Top 10 Best & Worst Anti-Phishing Web Registrars

Web site domain name registrars are increasingly finding themselves at the forefront of the never-ending slog against online con artists and phishers. But there is little consensus on how far registrars should go to police their pool of names for fraudulent activity, and the performance of registrars in decommissioning domain names connected to fraud scams is all over the map.

Such was one of the many findings in a "brandjacking" report released last month by brand security firm MarkMonitor. November's report, which detailed online fraud trends for Q3 of 2007, was the first to include top 10 best and worst lists ranking registrar performance in revoking domain names connected to phishing scams.

Domain name registrars can play a crucial role in getting phishing sites shut down, as most phishing sites use a registered domain name in their scam. According to the latest stats from the Anti-Phishing Working Group, 84 percent of scam sites spotted in August used a registered domain name (the other 16 percent were advertised in spam as numeric Internet addresses, e.g. http://192.0.2.13/).

Most readers are unlikely to recognize any of the registrars that MarkMonitor lists as leading the industry in fighting phishing. But among the bottom performers, according to MarkMonitor, is Register.com, which took an average of 313 hours (more than 13 days) to revoke domain names that were used in phishing scams in the third quarter of 2007.

That's more than four times the normal life of a phishing site: The APWG says the average scam site lives online for just over three days.

Laura Mather, senior scientist at MarkMonitor, said that, to be fair, the company is not certain whether the registrars were notified of each phishing site used in computing the takedown times in the report. But she added that many registrars don't see phish fighting as part of their job.

"The registrars could be very powerful in phish site mitigation," Mather said. "Until recently, a lot of the registrars have taken the view that it's not their responsibility, and they worry about what problems would be caused if they take action against a domain that isn't actually a phishing domain."

Roni Jacobson, Register.com's executive vice president of product management, called the takedown averages "completely off the mark." Jacobson said the company takes phishing "incredibly seriously," and that it has a 24/7 abuse line through which phishing complaints involving any domains in its stable are given top priority. But she acknowledged that the company's efforts on phish fighting haven't always been what they are today.

"Over the last quarter, we have made significant improvements to be even more vigilant," Jacobson said. "Thirteen days for something like this is an extremely long time and we generally handle these things in minutes."

The APWG is currently drafting a proposal to give registrars and registries (such as Verisign and Afilias) a procedure for taking action against domains used solely for phishing, Mather said. The group could take its proposal to the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees domain policy. But that process can be lengthy and uncertain, so the APWG is trying to get the registries and registrars to implement it themselves. "We're talking to a couple of registries that are very close to being willing to adopt this."

I've found Register.com to be extremely effective, cooperative, and fast on takedowns. So I'm seriously disagreeing with this list.

There are others who are amongst the worst I've seen in 12 years of anti-phishing that didn't make the list. And they certainly should have.

Similarly, some of the best didn't make it, either. When you can call and have a takedown 'while-you-wait' .. *that's* outstanding service and shows a commitment to helping resolve the problem.

The biggest issue, IMHO, is the hosts/ISPs who shut the doors and roll up the carpets nights, weekends, and holidays. This 'little' detail is exploited to an extreme by phishers/hackers.

Also those hosts/ISPs who, when looking *directly* at a fake login page for [Brand XYZ] Bank being run off any number of legit sites, state, "We have to investigate this. And that will take up to 48 hours."

These issues *can* be resolved, and the reluctance of those companies to do so is highly questionable.

The most effective way to contain a malware problem is to take the affected system off the network. This requires contacting the ISP or web host that provides connectivity to the system.

Having the registrar remove the domain's DNS from the TLD (top-level domain) nameservers is a bit like swatting a fly with a howitzer; the granularity is poor and in the case of a false positive it could threaten life and property.

Back in early October, GSA (the registrar for the .gov TLD) responded to a report of some malware being hosted on an isolated state government system in Marin County, California by dropping ca.gov from the .gov nameservers, without even going through a proper notification process. There were reports that this affected emergency service in parts of California, and minimally it caused a tremendous waste of resources. It's not too hard to imagine how it could have killed someone (maybe it even did). Of course, emergency services shouldn't be brittle in the face of a DNS outage, but the way to find out if they are is through controlled testing, not kneejerk reaction by a registrar.

Meanwhile, US-CERT exists to provide an emergency readiness capability for the Federal government, and the Federal response, if warranted, was properly in their bailiwick; the site's ISP could have helped as well.

It's funny to see Verisign listed in the top 10. They operate the .com and .net TLD registries. The TTL (time-to-live) for NS records (nameserver DNS records) in these TLDs is 48 hours. This means that even if Verisign (or any registrar, for that matter) responds *instantaneously* to a phishing report involving a .com or .net name, any caching nameservers that have already looked up the name will continue to serve it for two days. Most of the systems at risk for phishing consult caching nameservers at major ISPs for all DNS, so if you're a Comcast customer, for example, if *any* other Comcast customer has looked up the name, you'll continue to be able to resolve it for the next two days. In other words, it doesn't make much difference what Verisign does.

Consider the above point a little longer. The TTL for .com and .net assigned by the TLD nameservers is 48 hours. In contrast, the TTL for .org names is only 24 hours, while the TTL on .biz names is 5 minutes. The TTL is up to the maintainer of the TLD name servers. The longer the time, the lower the load on the TLD name servers (because caching nameservers don't have to ask again until the record expires), but the less effective a TLD DNS response is against phishing. So one should take note that the .com and .net TLDs have the longest TTLs, so it's actually ironic that the registry operator, Verisign, is listed in the top ten for phishing response, because their registries feed the TLD nameservers that are the least effective against phishing.

And, after all, phishers can spin up new domains as needed. They have plenty of stolen credit card numbers to work with, and it only takes a couple of minutes to register a new domain, and a minute or two after that for it to be live, because the one thing companies have improved over the last few years is the speed at which new domains get propagated to the TLD nameservers. Trying to combat phishing at the registrar level is p*ssing in the wind at best, criminally negligent at worst.

If you want consumer protection, you're going to get better results by using the anti-phishing features of your browser and possibly an anti-phishing DNS service such as the OpenDNS service mentioned earlier. Phish fighters would be better served developing a central notification service to alert ISPs as rapidly as possible so that the actual hosting systems can be taken off the network, in which case, DNS doesn't matter.

I should clarify the above on one point I was off-base about: Network Solutions is listed in the top ten above, not Verisign. Network Solutions was acquired by Verisign in 2003, which was the basis of my comment that Verisign was listed in the top ten, but I see Network Solutions was since sold away again.

So, no, Verisign is not listed in the top ten; that is my mistake. The rest of the comment stands, however: it doesn't really matter because the .com and .net TLDs have too long of a TTL for registrar-based phish fighting to be effective compared to ISP-, browser-, or recursive DNS service-based phish fighting.
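As an added example, not part of the comments above or of the article, here is a small Python model of the caching behaviour the comment describes: a TLD delegation table that the registrar can edit, and a shared ISP recursive resolver that keeps the NS record it fetched until that record's TTL expires. The TTLs are the figures the comment quotes (48 h for .com/.net, 24 h for .org, 5 minutes for .biz) used as inputs rather than measured; the domain and nameserver names are made up, and the model assumes no further lookups refresh the cache.

```python
from dataclasses import dataclass, field

# Delegation NS-record TTLs (seconds) as quoted in the comment; inputs, not measurements
TLD_NS_TTL = {"com": 48 * 3600, "net": 48 * 3600, "org": 24 * 3600, "biz": 5 * 60}


@dataclass
class TldRegistry:
    """Authoritative delegation table for one TLD: the thing a registrar can edit."""
    tld: str
    delegations: dict = field(default_factory=dict)  # domain -> nameserver

    def add(self, domain, nameserver):
        self.delegations[domain] = nameserver

    def revoke(self, domain):
        self.delegations.pop(domain, None)

    def lookup_ns(self, domain):
        """(nameserver, ttl) while delegated; None once the registrar has pulled it."""
        nameserver = self.delegations.get(domain)
        return (nameserver, TLD_NS_TTL[self.tld]) if nameserver else None


@dataclass
class CachingResolver:
    """ISP recursive resolver shared by many customers; caches the NS answer."""
    cache: dict = field(default_factory=dict)  # domain -> (nameserver, expires_at)

    def resolve_ns(self, registry, domain, now):
        hit = self.cache.get(domain)
        if hit is not None and hit[1] > now:
            return hit[0]                  # cache hit: the TLD servers are never asked
        answer = registry.lookup_ns(domain)
        if answer is None:
            self.cache.pop(domain, None)   # delegation gone: negative answer
            return None
        nameserver, ttl = answer
        self.cache[domain] = (nameserver, now + ttl)
        return nameserver


def simulate(tld, takedown_delay_s):
    """One ISP customer resolves the phishing domain at t=0; the registrar revokes
    the delegation takedown_delay_s later. Returns the number of seconds after the
    revocation during which the shared resolver still answers for the name (0 if
    the cached record had already expired), plus two probes: one second before
    the cached record expires and at expiry."""
    domain = f"phish-example.{tld}"          # made-up name
    registry = TldRegistry(tld)
    registry.add(domain, "ns1.attacker-controlled.example")
    resolver = CachingResolver()
    resolver.resolve_ns(registry, domain, now=0)      # victim's lookup fills the cache
    expires_at = resolver.cache[domain][1]
    revoked_at = takedown_delay_s
    registry.revoke(domain)
    probes = {
        "before_expiry": resolver.resolve_ns(registry, domain, expires_at - 1) is not None,
        "at_expiry": resolver.resolve_ns(registry, domain, expires_at) is not None,
    }
    return max(0, expires_at - revoked_at), probes


def residual_hours(takedown_delay_s=0):
    """Residual resolvability per TLD, in hours, for a given registrar takedown delay."""
    return {tld: simulate(tld, takedown_delay_s)[0] / 3600 for tld in TLD_NS_TTL}


if __name__ == "__main__":
    for label, delay in (("instantaneous takedown", 0), ("313-hour takedown", 313 * 3600)):
        print(label, residual_hours(delay))
```

With an instantaneous takedown the .com/.net name stays resolvable for the full 48 hours on any resolver that already holds the delegation, .biz for five minutes; with a 313-hour takedown the cached record has long since expired, so the takedown changes nothing for that resolver either way.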

That "worst 10 performers" list is gold to phishers... now they know where to register their domains (not trying to imply, btw, that sharing this information isn't important, but just noting that it hurts just as much as it helps).

The folks over at Gandi are anti-spam zealots who work closely with Spamhaus, law enforcement, and pretty much anyone else who is willing to cooperate in the battle against spam.
They are the good guys.

Needless to say, their abuse department is stellar, as can be attested to by anyone who has ever had cause to contact them.

The appearance of Gandi on the "worst 10" list immediately calls the results and methodology of this entire study into question.

As an analogy, imagine seeing Google in a list of the "10 most cluttered search engine interfaces," or Greenpeace on the list of "10 worst polluters."

What's funny?
"Laura Mather, senior scientist at MarkMonitor, said to be fair, the company is not certain whether the registrars were notified of each phishing site used in computing the takedown times in the report. But she added that many registrars don't see phish fighting as part of their job."

To produce a worst 10 list, which can adversely affect the reputation of reputable companies, would be laughable were it not a serious and reprehensible act. Next, look at the side-bar graph. Having admitted that "to be fair" she doesn't even know if the registrar was notified (hello?), we see an "average" response time, with no indication of whether the results have any statistical significance. Does a 10-day average response to a phishing report that may or may not have even been lodged represent an average of one occasion, or 100? Even someone with the most elementary grasp of statistics will know that the sample size bears significance when quoting averages.

Finally, a little digging into the ethos of Gandi could pay dividends. For example, what percentage of their customers' registered domains are advertised in spam, compared with other large registrars? Take a look at a statistical comparison (one which includes the sample size in the "active" column) at http://rss.uribl.com/nic/

Gandi has gained renown and acclaim for its no-nonsense approach to spam and crime.

That's what I find laughable about Laura Mather's inept blather.

PS - For the record, I have no affiliation with Gandi. I do make representations to hundreds of registrars requesting the suspension of illegal domains. My experience has been that Gandi has been the fastest and most effective company at actively suspending crime sites. The real statistics at URIBL.com speak for them.

brewt> The appearance of Gandi on the "worst 10" list immediately calls the results and methodology of this entire study into question.

I see.

You can see from my earlier posting that I think the methodology and results here are weak already, but I do not see how it would matter if Gandi were listed in the top ten rather than the bottom ten.

Pulling up three phishing emails from my junk mailbox, I see nothing about the registered domains that would enable a registrar to detect their intended purpose for phishing before the fact. In a Citibank phish, for example, the phish URL uses the hostname citibusinessonline.da-us.citibank.com.ehkdor.net.ph. If Gandi were the registrar for ehkdor.com.ph, how would that stop the phisher? How would Gandi recognize that this domain is going to be used for phishing before accepting the registration? And after the phishing emails go out, on what basis would Gandi be justified in pulling the entire domain from the registry? Maybe com.ehkdor.com.ph was delegated to a phisher but the rest of the domain is being used for legitimate purposes. Just because one name in a domain is being used for phishing doesn't mean the domain itself is illicit; registrars had better be using better criteria than that before mucking with the namespace.

And as I pointed out above, pulling the domain is ineffectual against the phishing. The TTL for the domain's NS records in this phony Citibank case is 24 hours. A smart phisher will send emails using an envelope sender that names the phish domain, forcing ISP nameservers to look it up, then drop in additional NS records in the response using a very long TTL, e.g. two weeks. At that point, nothing the registrar does will help.

Disbelief> I do make representations to hundreds of registrars requesting the suspension of illegal domains.

Which makes me wonder: what's *your* methodology? How do you know when an entire domain is "illegal"?

And what's the point of this crusade? I agree that Laura Mather is off-base when she implies that phish fighting is the registrar's job, because it *isn't*. Spam is arguably a different story, because spam domains aren't so fly-by-night. But according to this article, the average phishing scam's lifetime is 3 days, so what do people think they're accomplishing by trying to fight phishing at the registrar level?
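As an added example, not code from the article or from any commenter, the following Python splits a reported phishing URL the way the APWG figure in the article does (registered name versus numeric address) and, for a registered name, works out the one string the registrar actually saw on the registration form, using the hostname quoted above. The public-suffix table is a tiny hand-made subset (real code should load the Public Suffix List), the brand list is an input, and a numeric literal that is not a valid dotted quad is reported as invalid rather than silently accepted.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed subset of public suffixes; real code should load the Public Suffix List
PUBLIC_SUFFIXES = {"com", "net", "org", "biz", "ph", "com.ph", "net.ph", "uk", "co.uk"}


def classify_host(url):
    """('name', host) for a registered name, ('ip', addr) for a numeric address.
    A dotted literal that is not a valid IPv4 address (an octet of 256, say) is
    reported as ('invalid', host) instead of being treated as an address."""
    host = urlsplit(url).hostname
    if not host:
        return ("invalid", host)
    host = host.rstrip(".").lower()
    if host.replace(".", "").isdigit():
        try:
            return ("ip", str(ipaddress.IPv4Address(host)))
        except ipaddress.AddressValueError:
            return ("invalid", host)
    return ("name", host)


def registrable_domain(hostname, suffixes=PUBLIC_SUFFIXES):
    """The label directly under the longest matching public suffix, i.e. the only
    string the registrar ever saw. None if the host is itself a public suffix or
    its suffix is not in the table."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def impersonated_brands(hostname, brands):
    """Brand strings appearing in the labels the registrant controls *above* the
    registrable domain: what makes the URL deceptive, and what a registrar
    cannot see at registration time."""
    reg = registrable_domain(hostname)
    if reg is None:
        return []
    above = hostname.lower().rstrip(".")[: -len(reg)].rstrip(".").split(".")
    return sorted(b for b in brands if any(b in label for label in above))


def triage(url, brands):
    """Combine the three checks into one record for a phishing report."""
    kind, host = classify_host(url)
    record = {"kind": kind, "host": host, "registrable": None, "brands": []}
    if kind == "name":
        record["registrable"] = registrable_domain(host)
        record["brands"] = impersonated_brands(host, brands)
    return record


if __name__ == "__main__":
    # constructed report using the hostname quoted in the comment above
    print(triage("http://citibusinessonline.da-us.citibank.com.ehkdor.net.ph/signin", {"citibank"}))
```

For the quoted hostname the registrar-visible string is `ehkdor.net.ph`; every label above it, including `citibank.com`, belongs to the registrant and never appeared on the registration form.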

I am among those who are baffled by Gandi's inclusion in this list, and I don't feel the research behind this list is transparent enough to warrant labeling any of these registers (as it appears to be doing) as "pro-phishing."

I and numerous colleagues have been researching illegal spammers and reporting phishing incidents diligently and I can tell you for a fact: Gandi is among the best I've ever seen at investigating, verifying, and taking action against illegal websites for which they were the authorizing registrar. They don't just pull the plug sight unseen. They respond directly to requests and if the information provided is not clear, they ask for more information. They also work with law enforcement in cases where more obviously illegal sites are reported (terrorist / fundamentalist / child porn / etc.)

I find it hard to believe that among this list, the absolute worst registrar I've ever dealt with is nowhere to be seen: Computer Services Langenbach GMBH DBA, aka Joker.com. It takes a minimum (it seems) of fifty complaints before they will even look at a rogue domain, even if the evidence is widespread and present in numerous Department of Justice (or other such supporting) press releases or affidavits. They often will respond to a request ONLY if you send them an actual printed letter via postal mail. By the time they eventually do take down an offending site, it is several weeks past the date of the original complaint and the spammers / phishers / rogue criminals have already long ago profited from their illicit domains. This is well-documented throughout the internet (just do a search for joker.com spammer, you will see many hundreds of complaints of non-response, or extremely weak / slow response to repeated complaints.) Joker.com continues to allow illegal spammers - notably the spate of Elite Herbal / GenBucks spam - to register several tens of thousands of rogue domains every single day, unabated, often using known stolen credit card data. They are not helpful in any meaningful way in battling this type of cybercrime. Gandi on the other hand most definitely *ARE* helpful, but also methodical and cautious. My only connection to Gandi is as a complainant. I pay them nothing. I am not sponsored by them. My sole motivation is a deep hatred for rampant online criminal activity.

I would say that while it's definitely a "good thing" to shine the light on potentially bad operators, especially in the realm of domain name registration, a bit better overall research, or at least a description of how these results were arrived at, would be extremely prudent. As someone who's seen quite a bit of success in assisting law enforcement in shutting down these rogue websites over the past three years or more, I'm insulted that Gandi is anywhere near your "list" of registrars which you claim to be doing nothing about phishing sites or other illegal activity.

Re Why people think it's ludicrous to name Gandi among the 10 worst: While apparently Gandi used to have a bad reputation, management changes have led to extremely aggressive policies against spam, phishing, and other unsavory practices. Most of the complaints you'll see on the internet about Gandi now are from people complaining about their domains being suspended over AUP violations. The only time I ever heard of Gandi in relation to a phishing domain was when a Gandi employee was complaining on a forum that a phishing report about a site on a free hosting domain had been sent to the ISP but not to Gandi as registrar, so he had to find the report himself by searching the web. He then first attempted to contact the domain owner to get the site taken down, and when he was unable to contact him, suspended the entire domain until hearing from the owner an hour later.

While I am more involved with reporting spamvertised sites to registrars and malware infected servers to ISPs than I am with phishing, my best and worst lists would be quite different. The most responsive registrars (domains suspended within a couple hours of a report) would be Gandi, Dotster, and if you can get through their spam filters, Domainsite. The worst, considering both responsiveness and the quantity of bad domains they host, would be Xin Net, Moniker, and Beijing Innovative Linkage Technologies (dns.com.cn). I have found Naunet to be completely unresponsive, but they are so far a minor player in spam hosting for the sites I report.

And definitely, you need to know numbers to determine the statistical significance of these "average" shut down times. I don't recognize a lot of these registrars, and if they have only a small number of incidents, the numbers can be wildly skewed. As a scientist, I would have no faith in such numbers at all without information about what the total number of incidents is and what the standard deviation of the response times was. And you cannot have any meaningful data unless your start time is when the domain is actually reported to the registrar. Surely MarkMonitor is aware of the vast quantities of registrations that many registrars are processing and how much of it is being done electronically without any human intervention. Registrars don't know -- and can't act -- unless someone tells them.

Re Whether it is appropriate to try to shut down phishing sites via the registrars rather than the ISPs: Unfortunately, many phishing sites are now hosted on fast-flux botnets. There is no paid ISP, since the servers are hijacked, and the IP address of the site will change every few minutes to a new machine hosted by a new ISP. Shutting down the domain name is the only effective way to deal with this, although it does take time for caching to expire, and that can be exploited by phishers by setting long caching times.

AlphaCentauri> Shutting down the domain name is the only effective way to deal with this, although it does take time for caching to expire, and that can be exploited by phishers by setting long caching times.

I disagree. Three more effective methods have already been mentioned: phish-aware DNS resolvers for end-user systems (e.g. OpenDNS), phish-aware browsers, and the construction of a distributed, fast alerting system for ISPs, which is what people who care about spam and phishing should *really* be working on rather than doing busywork shutting down domains when it takes the phisher five minutes to set up a new one. An effective alerting system would work against the botnets and a lot of the spammers as well.

The phishers and spammers will always have an advantage in this game, because they're making money with relatively little effort, while the people struggling against them are burning out from repetitive, menial, pointless activity. If you ever want to change this game, you need to come up with a way to have the end service points taken off the net, because the namespace--by design--doesn't respond fast enough. This problem will only get worse, not better. After all, the registrars aren't making any money off of takedowns either.

Or at least focus your efforts on Phishtank, since that feeds OpenDNS.

Laura Mather, Ph.D., condemns herself by her own admission, "..the company is not certain whether the registrars were notified of each phishing site used in computing the takedown times in the report" and further compounds her error by posting a statistically inept top 10 and worst 10 table.

Brian Krebs exhibits shoddy journalism by publishing such twaddle without investigating the facts. But I am confident he is honest enough to apologize for his mistakes.

Fighting phishing at the registrar level is working *against* what services like Phishtank are doing. If instead you let the phishers sit on a domain for as long as possible, these services are more effective at identifying and filtering them out for their clients (including people pointed at OpenDNS).

Every time you move a phisher along to the next domain (which he already has queued up and ready to go), the whole reporting/filtering scheme has to be restarted. It's entirely possible that this does more harm than good in the long run.

@antibozo
"the construction of a distributed, fast alerting system for ISPs, which is what people who care about spam and phishing should *really* be working on rather than doing busywork shutting down domains when it takes the phisher five minutes to set up a new one."

I agree with you 100%. I'm all for reducing the busywork, and suspending domains does feel a lot like cutting off the heads of the hydra. But having just spent hours last week trying to get to a human being at a large US ISP with hundreds of stormworm-infected IP addresses, some continuing to show up on scanning over six weeks after that ISP was notified of them, we have to work every angle available to us. If English-speaking reporters can't get English-speaking ISPs in the US to get serious about users whose computers are distributing trojans, we're up the creek with the up-and-coming ISPs in Asia, South America, Eastern Europe, and Africa.

AlphaCentauri> ... having just spent hours last week trying to get to a human being at a large US ISP with hundreds of stormworm-infected IP addresses, some continuing to show up on scanning over six weeks after that ISP was notified of them...

[Aside: well, with typical DHCP assignment, the same IP is not necessarily the same system six weeks later.]

Again, an automated alerting system, preferably with an API for ISPs, would actually help here. The one-off notifications that go through the ISP help desk don't encourage automation at the ISP end of things. A weighted, moderated system, along the lines of Phishtank, could enable ISPs to build automated quarantine behavior into their networks. Note that ISPs, unlike registrars, have financial motivation to control worms and botnets because these account for significant bandwidth consumption.

I can also imagine going in a more gonzo direction with it, at least with the more recalcitrant ISPs, and providing an agent for end systems that not only provides filtering for the end user but attempts to mitigate nearby activity, e.g. by forging disruptive gratuitous arps if a bot-infected system is in the same broadcast domain, effectively bypassing ineffectual ISP help desks and blackholing the compromised systems directly.

I would like to thank you for your wonderful support, and for bringing this blog entry to Gandi's attention. You all know us for the strongly anti-phishing and anti-spam registrar that we are, and your support is greatly appreciated. Thank you.

Brian and the Washington Post have refused to allow Gandi to voice its objection to the article in light of its clear factual errors, to withdraw it, or even to allow us to comment on what is a very shocking and defamatory attack against us.

Here are the facts.

Mark Monitor is a domain name registrar and a direct commercial competitor of Gandi - a fact totally omitted from Brian's article. Consequently, one must take this into consideration when reading their press releases.

No methodology has been presented by Brian in the article to support, or even give a context to, the ranking of registrars. Not only does the article leave out the important matter of how the list was created, but even the comment of Laura Mather indicates that the methodology requires further scrutiny.

The link given by Brian in the article to the press release in question goes to an unrelated release entitled "MarkMonitor Reports Recalled Toys Continue to Be Sold Online and Gift Card Scams Threaten Identities". It is therefore impossible to verify the source information of Brian's article as given.

Not only has Brian misrepresented the business interests of Mark Monitor, he has not presented any valid source of the claims.

The article's only quoted statistics (on the percentage of phishing sites using domain names, the average life of a phishing scam) are said to come from the "Anti-Phishing Working Group". If one looks more closely at that source, one quickly finds that Mark Monitor is not only a Steering Committee member of the group, but also a primary source of APWG's phishing statistics.

Thus Brian is attacking Gandi based on the press release and report of only one source, a direct competitor of Gandi, and he fails to produce a reliable source of the registrar ranking or its methodology that are presented. Also, no explanation has been given as to why Gandi's name (which is also incorrect, as it should read Gandi SAS and not Gandi Sarl) has been highlighted in black, nor why and/or how it could possibly have the identical response time in hours and minutes to another registrar on the list.

I disagree with Brian's opening claim that most readers are unlikely to recognize Gandi as a leader in the fight against phishing. The comments alone are testimony to how well-known and respected Gandi is within the community of concerned citizens and IT abuse specialists with regards to our commitment to fight internet abuse. Indeed, this is a favorite subject of our own blog, for example: http://www.gandibar.net/post/2007/01/11/Gandi-fights-back-against-domain-abuse

While not disagreeing with the claim that phishing scams are often very short-lived, I must also mention that the problem is more complicated than Mark Monitor - and thus Brian - present it, as fits their needs.

There are fraudulently-registered domains for the only purpose of phishing, there are innocent people who have their websites hacked, and there are web hosts that have a customer hosting a phishing scam on a subdomain of their own. Each of these cases requires a different approach, one that is never shoot-from-the-hip. But I discuss this elsewhere: http://www.gandibar.net/post/2007/02/05/CNET%3A-Gandi-protects-your-domain

Finally, Gandi is highly pro-active in its fight against phishing and spam. Not only do our team members actively participate in anti-spam and anti-phishing forums and newsgroups in order to stay up-to-date with the latest scams, we have a dedicated abuse team that performs regular internal searches to weed out fraudulent phishing domains - before they are reported.

If we receive a complaint, it is immediately processed. But not only do we take action against the domain in question, we also ensure that the same customer does not have other domains that have gone unnoticed. We go beyond what is asked of us, because it is ethical, and because we assume with pleasure our responsibility and obligation to make the internet a safer place for everyone.

Once more, I thank all of you who have come out to set the record straight with regards to Gandi and to defend us against this wholly unjust and scandalous attack. I invite you all to visit our blog if you would like to continue the discussion with me on this passionate topic!

Scans are done every 2-3 days and each ISP receives a single report of all their infected IP addresses and the timestamps when they were first/last observed, and yep, some IP addresses are showing up on every single scan over the entire period. As far as recalcitrant ISPs, the one I was calling wasn't even one of the top three, just the one for which electronic communication had utterly failed.

The problem of bots on U.S. ISPs is huge. In the case of a DDoS attack, while it's easy to block all IP addresses in Russia, the target would have to block all communication from a huge percentage of U.S. computer users to block all the IP addresses from "recalcitrant" ISPs.

> The problem of bots on U.S. ISPs is huge. In the case of a DDoS attack, while it's easy to block all IP addresses in Russia, the target would have to block all communication from a huge percentage of U.S. computer users

Yes, I'm not sure where you're going with that. Domain takedowns don't help at all against a botnet that is being used for DDOS.

I was musing about an agent for end users to run on their systems, and which participates in a distributed botnet-mitigation system. If these users are distributed over roughly the same space as the botnet nodes, they can disrupt those nodes where they are, especially where broadcast media are used. It's a voluntary anti-botnet, if you will. If this were coupled with a well-distributed system for identifying malicious nodes, it could actually work against even a botnet DDOS.

The less intrusive method, which I'm more serious about, provides a *trustworthy* feed which good ISPs can use to quarantine or throttle botnets automatically, and mail services can use as an RBL.

The trick would be designing such a system so that it couldn't itself be turned into a DDOS tool. Whether the ISP or individual users' systems are doing the mitigation, the data has to be authenticated somehow so that the system can't be subverted by someone who just punches in a bunch of IPs he wants to kill. That is why I point out Phishtank as an example architecture, because it has a moderation system.

It is crucial that the system be secure against subversion because it is the only way ISPs could trust it for automated processing. As long as submissions are coming from individuals, no matter how trustworthy, they have to go through ISP help desks as a test for plausibility. If you want an advantage against the botnets, you need to get human beings out of the mix at the mitigation end.

Ideally such a system would:
- be widely distributed, so that botnet operators couldn't target it with a DDOS;
- be moderated, so that submissions could be vetted by some weighted group of users before being characterized as malicious;
- require authentication for all submissions, so that malicious submitters could be identified, and good submitters and moderators could be suitably weighted;
- use innocuous protocols so that inimical ISPs couldn't easily disrupt communications or identify participants;
- preserve suitable anonymity for participants so that they couldn't be targeted individually by DDOS;
- be free and open-source, and written in a language that provides good security services.

For example, a system could use something like the following:
- DNS to supply the data to service providers via AXFR of .in-addr.arpa.-like zones for bulk IP lists to ISPs, and single RBL lookups for anti-spam/anti-malware engines;
- Jabber to distribute submissions and moderation traffic between participants and multiple hidden, possibly mobile, compilation nodes.

One could look at Skype for other ideas on designing the submission/moderation network to be resilient and self-balancing. The point is to build a system that goes beyond helping people report malicious nodes, and provides a robust service that automated processes can *trust*.

>> "Yes, I'm not sure where you're going with that. Domain takedowns don't help at all against a botnet that is being used for DDOS."

This thread has wandered away from the registrar discussion, but let's follow it on its tangent.

"Domain" takedowns are not relevant, and the previous poster did not advocate that in this instance. For botnets, the process is to report the IP to the ISP (not the registrar), with datestamp/timestamp/TZ. The ISP uses the log lookup tool to find the subscriber and then takes action as per the Terms of Service. This is usually a request to disinfect the machine, or else a suspension of Internet access until the customer responds with the "all clear". It is explained in more detail at http://spamtrackers.eu/wiki - "Reporting and Terminating Botnets"

The larger ISPs have their own DDoS mitigation processes in place to detect and prevent DDoS egress in real time. Unfortunately, they are sometimes unresponsive to disinfection requests, based on this implementation of DDoS mitigation. Unfortunate, because many requests relate instead to botnet hosting of illegal proxy servers (porn, gambling, fake watches, fake pharmacies, software piracy etc), adware, malware, and outright trojans, such as Storm "worm" and Warezov. DDoS mitigation on egress does not factor into that.

Granted, there are efforts to deactivate botnets at the C&C level, but that ignores the grass roots clean-up required at the infected mom-and-pop's home machine level. And that is the responsibility of the ISPs, if they look at their own Terms of Service and act upon them.

Disbelief> For botnets, the process is to... The IP lists of such infections are available from various botnet researchers...

Yes, yes, I'm fully familiar with the process; you and I and countless others have been playing that game for years. And where are we now? Spam is perpetually at its highest levels ever. This repetitive, reactive process is exactly what I'm saying is fundamentally broken and ineffectual, and will never succeed.

Please go back and read my posts more carefully. You're not responding to what I wrote.

Have you ever played Go? If not, I humbly suggest you read up on it, particularly the concepts of sente and gote:

I should read what you posted... e.g. you *talked* about:
@antibozo
"the construction of a distributed, fast alerting system for ISPs, which is what people who care about spam and phishing should *really* be working on rather than doing busywork shutting down domains when it takes the phisher five minutes to set up a new one."

What you've done, you'll keep on doing ad nauseam, and keep falling further behind, because, again, the spammers and botherders are making money at it, and you aren't. Spammers and botherders have all of the initiative in the game the way it's currently played, even though they're vastly outnumbered by the people trying to quash them.

And, besides, you didn't read far enough:

antibozo> The point is to build a system that goes beyond helping people report malicious nodes [what you built], and provides a robust *service* that automated processes can *trust* [what is needed].

The stuff currently available could be used to DOS vast tracts of the Internet if an ISP ever built an *automated* system that *trusted* it. As a starting point, imagine if a malicious user can forge ISP malware notifications about, say, all the IPs of the people on IRC he doesn't like. Again:

antibozo> If you want an advantage against the botnets, you need to get human beings out of the mix at the mitigation end.

I.e. no ISP help/abuse desk needed, no human DHCP log reviews needed. Botnet IPs are submitted by humans and honeypots, validated by weighted human participants, rendered into *trustable* data, after which *automated* ISP (or gonzo, if necessary, see above) processes blackhole or throttle the IPs, immediately, no further human intervention needed. We trust Spamhaus RBLs enough to include them directly in mailserver configs. *That's* the kind of process and trust I'm talking about. And getting there requires changing tactics, radically--stop wasting time on cosmetic surgery and build an immune system.

Look, I don't mean to discourage you. I spent plenty of time over the years fighting spammers, and I know it's time-consuming, tedious work, and if people weren't still doing it things would be even worse (as difficult as that is to imagine). But I've come to the personal conclusion that the methods need to change. I'm making a few suggestions here that I think could be part of a solution. No, I don't have time to build such a thing myself; if it were a SourceForge project I might pitch in, though. I think OpenDNS and the Phishtank API are a definite step in the right direction.
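The pipeline antibozo sketches in both of the posts above (authenticated submissions from humans and honeypots, weighted moderation before an IP is characterised as malicious, and the result rendered as an RBL that automated ISP or mail-server processes can consume) can be shown end to end in a small model. The Python below is an added example written for this page; it is not code from the thread, from Phishtank, OpenDNS or any existing RBL. The zone name `bots.example.invalid.`, the per-participant HMAC shared secrets, the weights, the listing threshold and the reputation adjustments are all constructed assumptions, and the zone is held in a dictionary rather than served over DNS. The `127.0.0.2` answer and the reversed-octet query name follow the usual DNSBL convention; the zone-file lines stand in for what an AXFR of such a zone would carry to an ISP.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from datetime import datetime

ZONE = "bots.example.invalid."   # hypothetical RBL zone name (assumption)
LISTED = "127.0.0.2"             # conventional DNSBL "listed" answer
LIST_THRESHOLD = 2.0             # weighted score needed to list or reject an IP


@dataclass
class Submission:
    submitter: str
    ip: str
    observed_at: str   # ISO-8601 with UTC offset, e.g. "2007-12-03T14:20:00-05:00"
    mac: str           # hex HMAC-SHA256 over the three fields above


def dnsbl_name(ip: str) -> str:
    """Reverse the octets and append the zone, as DNSBL clients do."""
    return ".".join(reversed(ip.split("."))) + "." + ZONE


def lookup(zone: dict, ip: str):
    """Single RBL lookup: None means not listed, else the answer address."""
    return zone.get(dnsbl_name(ip))


def export_zone(zone: dict) -> list:
    """Bulk feed (what an AXFR would carry) as zone-file style records."""
    return [f"{name} 300 IN A {answer}" for name, answer in sorted(zone.items())]


class Registry:
    def __init__(self):
        self.keys = {}      # participant -> shared secret (constructed for the example)
        self.weights = {}   # participant -> reputation weight used in moderation
        self.pending = {}   # ip -> {"submitters": set, "votes": {moderator: bool}}
        self.zone = {}      # DNSBL zone data: reversed-ip name -> answer address

    def enrol(self, name: str, key: bytes, weight: float) -> None:
        self.keys[name] = key
        self.weights[name] = weight

    @staticmethod
    def _mac(key: bytes, submitter: str, ip: str, observed_at: str) -> str:
        msg = f"{submitter}|{ip}|{observed_at}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def sign(self, submitter: str, ip: str, observed_at: str) -> Submission:
        """What an enrolled submitter (human tool or honeypot) sends."""
        return Submission(submitter, ip, observed_at,
                          self._mac(self.keys[submitter], submitter, ip, observed_at))

    def submit(self, sub: Submission) -> bool:
        """Accept only authenticated, well-formed reports into the moderation queue."""
        key = self.keys.get(sub.submitter)
        if key is None:
            return False                       # unknown submitter
        expected = self._mac(key, sub.submitter, sub.ip, sub.observed_at)
        if not hmac.compare_digest(expected, sub.mac):
            return False                       # forged or tampered report
        try:
            addr = ipaddress.IPv4Address(sub.ip)
            when = datetime.fromisoformat(sub.observed_at)
        except ValueError:
            return False                       # malformed address or timestamp
        if addr.is_loopback or addr.is_multicast or when.tzinfo is None:
            return False                       # unusable target, or no time zone given
        entry = self.pending.setdefault(sub.ip, {"submitters": set(), "votes": {}})
        entry["submitters"].add(sub.submitter)
        return True

    def vote(self, moderator: str, ip: str, malicious: bool):
        """Weighted moderation; returns 'pending', 'listed' or 'rejected'."""
        if ip not in self.pending or moderator not in self.weights:
            return None
        entry = self.pending[ip]
        entry["votes"][moderator] = malicious
        score = sum(self.weights[m] * (1 if v else -1) for m, v in entry["votes"].items())
        if score >= LIST_THRESHOLD:
            self.zone[dnsbl_name(ip)] = LISTED
            self._adjust(entry["submitters"], +0.1)   # reward confirmed reporters
            del self.pending[ip]
            return "listed"
        if score <= -LIST_THRESHOLD:
            self._adjust(entry["submitters"], -0.5)   # penalise reporters of a false positive
            del self.pending[ip]
            return "rejected"
        return "pending"

    def _adjust(self, names, delta: float) -> None:
        for n in names:
            self.weights[n] = max(0.0, self.weights[n] + delta)


if __name__ == "__main__":
    # Constructed walk-through: one honeypot report, two moderators, then the feed.
    reg = Registry()
    reg.enrol("honeypot-a", b"secret-a", 1.0)
    reg.enrol("mod-1", b"secret-1", 1.5)
    reg.enrol("mod-2", b"secret-2", 1.0)
    report = reg.sign("honeypot-a", "203.0.113.45", "2007-12-03T14:20:00-05:00")
    print(reg.submit(report), reg.vote("mod-1", "203.0.113.45", True),
          reg.vote("mod-2", "203.0.113.45", True))
    print(export_zone(reg.zone))
```

The two properties the thread insists on are the two checks in `submit` and the threshold in `vote`: a report that is not authenticated by an enrolled participant never enters the queue, so "punching in a bunch of IPs" gets a submitter nothing, and nothing reaches the zone that automated consumers read until enough weighted moderators agree. Reporters whose submissions are rejected lose weight, which is how persistently malicious submitters surface over time.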

Can anyone explain why Gandi Sarl is highlighted in black in the table of "10 worst"? Why is the least applicable contender singled out for special treatment, other than to accentuate the obvious error?

A retraction from the Washington Post and an apology for its error might go some way to avoiding litigation for libel.

My point was not that I don't think we need an automated way to notify ISPs, but that we need ISPs once notified to actually act on the information. If they aren't willing to devote the resources to create systems, automated or otherwise, to act on the volume of reports they are getting from humans, how can we make them act on what could potentially be a much larger volume of automated reports? If they aren't willing to give weight to reports from people and agencies that regularly provide reliable information in the most accessible form possible, why should they do any differently for yet another abuse reporting project trying to get off the ground?

AlphaCentauri> My point was not that I don't think we need an automated way to notify ISPs, but that we need ISPs once notified to actually act on the information.

Did you read anything I wrote?

AlphaCentauri> If they aren't willing to give weight to reports from people and agencies that regularly provide reliable information in the most accessible form possible, why should they do any differently for yet another abuse reporting project trying to get off the ground?